Last Week on My Mac: Don’t trust update aggregators

For many years, one of my routine daily web visits has been to a software update aggregation service, to check for new updates. My favourite has not been MacUpdate, thankfully, which in the last few days has once again been found to have been inadvertently distributing malware by proxy.

Since I first started visiting update aggregators, the threat landscape has changed considerably. Those who develop and distribute malware now target all online sources of software products, including update sites.

They have hit Apple’s App Store with XcodeGhost, delivering malicious apps to millions of users in east Asia for around six months before its detection. They have hit a succession of individual providers, some repeatedly; the most recent victim was Eltima, for example, whose software delivery and update service must now be one of the most secure. They have also hit update aggregators: this is at least the third time that MacUpdate has generously helped its users to install malware, the last incident involving Eleanor.

There seems no escaping the fact that our sources of new software and updates will continue to be under attack, and that, from time to time, they will deliver us malicious software. So we need strategies to minimise the risk to our Macs.

One solution might be to return to physical media, at least for new purchases. With rapid delivery services from almost any part of the world, this is not such a bad alternative, but major intermediaries like Apple would lose a lot of revenue. Besides, no Macs now ship with optical drives, so finding a way to install cheap distribution media wouldn’t be easy for the great majority of Mac users.

Given that we are going to have to rely on online distribution, the burden of minimising risk is placed on distributors. And given that breaches will continue to occur, one of their most important tasks is responding to such breaches. In this respect, this week’s new malware, OSX.CreativeUpdate, is an excellent lesson in what not to do.

In the case of the three malicious updates known to have been offered by MacUpdate, none was actually hosted on MacUpdate’s servers. All the aggregator did was to provide bogus links, so that users who thought that they were being connected with the vendor’s download were actually hijacked to the malware delivery sites (which were being hosted on Adobe’s servers, hence the name of this malware).

For an aggregator providing off-site links to downloads, this is pretty well the oldest trick in the book. All the malware provider has to do is find somewhere plausible to host their downloads, and convince the aggregator to post the links.

It is salutary to look at what MacUpdate has done since being alerted to the fact that they posted bad links on their site. Over 24 hours later, the only mention of this major security breach on MacUpdate is in the comments to those three specific updates. There have been no warnings on MacUpdate’s front page, or even on the product pages themselves, only in their comments.

Those who pay MacUpdate a subscription for the privilege of receiving free links to download malware, using its MacUpdate Desktop app, don’t even get to see those comments.

MacUpdate doesn’t appear to have made any attempt to identify which users might have been affected – something which may be impossible given their site design – nor to contact them. At no time did MacUpdate take its servers offline to check whether other updates might have been affected, but has relied on others informing it which appear to be.

Indeed, after recognising the problem with Firefox, the editor responsible denied that any other update was affected, until a user put them right. For all we know, other update links on MacUpdate may well point to malicious sites. MacUpdate has not revealed that it has even checked to find out.

The only comment about what MacUpdate intends to do about any of this has been written by the editor concerned: “It’s unfortunate that this type of hack has come to the Mac platform, but we are now more aware, and promise to be more diligent in protecting all of you in future.”

As an update aggregator, MacUpdate’s business is delivering trustworthy updates to its users. For an unknown period, it unwittingly ensured delivery of malware to an unknown number of its customers. In any other line of business, this would quite rightly result in its rapid collapse and closure.

Update aggregation is a vulnerable trade. In its handling of this breach, MacUpdate has done itself no favours. It has drawn attention to the vulnerability of aggregation services, to its own weakness in handling that vulnerability, and to its inadequate response to this breach. I expect that this will prove the final nail in the coffin of what was once a valuable service.

Would you ever visit an update aggregator’s website again and click on one of its links?

Postscript:

Since writing this, @tweet2oi has tweeted a counsel of perfection: “It’s very important that users check Developer signature, MD5/SHA checksums (if provided), look in VirusTotal for these checksums, etc.”

I suspect that the great majority of macOS users wouldn’t know how to do any of those, and that hardly any do. Most assume that it’s Gatekeeper’s job to check signatures, and the job of macOS to perform other checks, for example on disk images. I also think that it is a reasonable expectation that users who pay a subscription to an update aggregator and run its software should have such tasks performed by that software, to ensure that updates delivered through the aggregator are genuine.

Users usually can do more to protect themselves, but they should also be able to put reasonable trust in macOS and update services to exercise due diligence to protect them. If macOS or update services fail to do as much as they can to protect users, then the users should stop using that product.

MacUpdate’s Response:

I thought it only appropriate to show the response of one of MacUpdate’s VPs to Thomas Reed’s report of this breach, on Twitter:

To be fair to Boettcher, in a tweet of 15:08 on 2 February, he reported that “We are in the process of checking that we have caught any and all fraudulent submissions. We have posted in the comments of each suspected app.”

Meanwhile the @MacUpdate Twitter account hasn’t even mentioned the breach, nor its release of malware. I’ll leave it to you to decide whether you think that is adequate response to such a serious incident.

Thanks to @macinteractive for passing on this staggering response to such a major security breach.

Nowadays, it’s better to use a solution like Autopkg (and the GUI Autopkgr) to check for updates automatically. Links can’t be changed without you being warned. And the only way to get malicious software is if the vendor is infected himself…

Thank you.
Before everyone rushes off to look at AutoPkgr, although it does look very interesting, I suspect that it is overly complex for most users of single Mac systems. It looks ideal for those who use more complex tools, or manage several Macs, but there is significant effort in setting it up in the first place.
I’m also not clear how compatible it is with High Sierra, which isn’t mentioned on the site.
Howard.

It sure is more useful for people using/managing multiple computers, especially when linked with something like Munki to automate installation of the software. In fact, if you have more than 2 computers you NEED it absolutely.

Autopkg/Autopkgr both work very well with High Sierra. Autopkgr is very simple to use when you understand how it works:
There are several repositories, some official and some not. Repos contain recipes which describe which software to download and repackage.

If your goal is just to automatically download the new versions of software, just use the .download recipes. If you want to repackage them, use the .pkg, if you want to use it with munki, use the .munki recipes.
For example, for some of your tools, I created some recipes that are not yet in the official repos: https://github.com/jpiel/jpiel-recipes.git

Everyone can make his own recipes if he can’t find the one he needs.

The point with autopkg is that when a recipe is changed (maybe the link modified or anything else, and it really doesn’t happen often), Autopkgr doesn’t want to use it without an action on your part to validate the new recipes.

When associated with munki, you set it up and you forget it… And you forget also to update anything.

One of the most disappointing aspects of the recent MacUpdate situation is the poor communications from MacUpdate, especially to subscribers. I finally received an email from MacUpdate today regarding the situation. It’s bad enough that MacUpdate did not quickly and clearly communicate the issue to all users and potential users through any number of available channels, but it is absolutely inexcusable that it took several days to notify its paying customers after the news became public.

The email included a link to an AppleScript intended to detect and remove the malware. While I suppose I appreciate the effort they put into writing an AppleScript, I can’t say that I am in any way inclined to click on a url-shortened link from them.

For reference, here is the email I received:

“On February 1, 2018, we investigated suspicious download links for Firefox, Onyx and Deeper. We discovered these links downloaded files which contained a new malware threat, specifically a Bitcoin mining framework. Our records indicate that you may have downloaded one of these files during the brief period when the links were available on MacUpdate.

We strongly encourage you to take the following steps to detect and remove any unwanted files that may be present on your Mac as a result of these downloads.

2. Launch the AppleScript application, the script will run and will show one of the following two messages

3. If bitcoin miner files were detected and deleted, restart your Mac to finalize the process.

MacUpdate takes the security of Mac users very seriously. We regret any disruption this may have caused. Thanks to the help of the MacUpdate community, we were able to quickly identify this threat and contain its spread by removing the malicious links. If you have any questions or concerns regarding this issue, you can reach out to us at support@macupdate.com.”

Given the high quality of your commentaries, I’m disappointed to see you go from a single incident (sample of one) and generalize to all such software aggregators. Interestingly, you never mentioned any other software aggregators including the one you alluded to as being “My favourite has not been MacUpdate, thankfully, which in the last few days has once again been found to have been inadvertently distributing malware by proxy.” Why don’t you tell us your favorite so we might take advantage of its malware-free service?

Every software distribution service available for public use, including Apple, may get hit with malware. Yes, it has happened to MacUpdate. But it is a little unfair to bash them considering this has seldom happened over many millions of cleanly delivered software. I have used them regularly without any problems so far. I did download the recent FireFox 59.0.2 but never installed it.

Perhaps MacUpdate should move to a pay for play exclusive model so they can generate cash to pay for verifying all new links and software. It is a bit too easy for those who like to play these games to slip malware into our systems. When it comes to Mac software there really are only two aggregators most know – MacUpdate and CNet. The latter hardly holds a candle to the former.

In science, it’s always bad practice to generalize to a population from a small sample of one (or even three.)

This isn’t, as I pointed out, the first time that this service has been hit: there was Eleanor some years ago, and their own PUP. However, my biggest issue is not with them being hit – as you point out it has happened to many including Apple – it has been their appalling lack of communication. Indeed, not lack of communication, actual secrecy.
Their incident response was very poor too, in that they continued to serve links to other malware after they had been informed that Firefox was delivering malware, and clearly had neither taken their site offline nor properly investigated or addressed the first malware link.
Compare this with the actions by Eltima, for example.
How many times does any user want to go through this before they realise that aggregators are particularly vulnerable, and this one proved easy pickings?
This is not about statistical sampling, but about the response of a service to which many pay subscriptions.
Howard

(Back on a Mac rather than my iPhone now.)
But above these issues with one specific incident with one aggregator is the more general question as to why we should continue to trust such services. In another comment I have revealed that I have used former MacTracker/VersionTracker/CNet, whose ‘service’ has been so slow and broken that getting it to deliver anything has been something of a miracle. Perhaps that has been just as well in the last few days!
Although I will probably keep a watch on their pages, I for one am through with using them or any other aggregator to provide download links, let alone updates. You don’t need a large sample size to realise that this is not the last time that an aggregator will get hit, and I don’t want to be caught the next time, thank you. In the current threat landscape, putting blind trust in any service like this is courting disaster.
Howard.

Unfortunately, this problem hits too many sources. Some are open, others not so much. Apple is far worse than MacUpdate when it comes to silence. I’m afraid that silence is hardly a sin in this case. The problem stems from those gaming the system, not the system itself. The louder you proclaim the more likely it is that they will hide in a shell of silence to prevent loss of business. They need users in order to sell advertising space on their site.

I’ve seen this happen in the past where an event like this one was blown out of proportion by one person (not you) whose goal was to drive MacUpdate out of business. When I tried pointing out to him what I stated previously he attempted to destroy me. But no matter how hard one tries the Truth will out. It is better to work with these people as best we can because we need their support. You do more service to the Mac community by alerting users to be careful when using services like MacUpdate rather than scaring them away altogether.

The irony is that I had been using MacUpdate primarily to stay current with security updates to third party software, and, as far as I can tell, the only malware infection I’ve had in several years was delivered by…MacUpdate.

Well, if you use the same service most all of the time, then if there is a mistake, most likely it will be from the place you use the most. I have been using them for years for new software, updates, replacements, etc. without having a problem. I have passed on links to others all over the world but no one has complained that I had passed them malware. Even given I did, that no one gave me hell for it suggests it didn’t happen very often.

I am sorry to have heard of this latest fiasco, but I will continue using them. It isn’t as if they do this on purpose. Everyone makes mistakes. After all a little under half the people in the US voted for Clinton. But let’s not go there.